1104

The security log is now full

The security log is now full. When the security log reaches maximum capacity and is configured to 'Do not overwrite events', no new security events can be recorded.

Event ID 1104 is generated when the Windows Security Event Log reaches its maximum allocated storage capacity and system log policy prevents overwriting older records. Once logged, the system stops writing new security telemetry until cleared.

Failure Reason / Root Cause:

Improper event log retention policy configuration, log storage capacity limits reached, or intentional log flooding by an adversary.

CategoryEvent Log
Audit typeSuccess Audit
SeverityCritical
Applies toWindows Server 2016, 2019, 2022 / Windows 10, 11
Keywordslog full, capacity, overwrite, blindspot, retention policy, logging failure
Raw Event XML snippet
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>1104</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2026-07-17T09:54:44.850Z" />
    <EventRecordID>1048576</EventRecordID>
    <Correlation />
    <Execution ProcessID="612" ThreadID="1024" />
    <Channel>Security</Channel>
    <Computer>DC01.enterprise.internal</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">SYSTEM</Data>
    <Data Name="SubjectDomainName">NT AUTHORITY</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <!-- Event telemetry fields specific to The security log is now full -->
  </EventData>
</Event>

MITRE ATT&CK mapping

IDTechniqueTactic
T1562.002Impair Defenses: Disable Windows Event LoggingDefense Evasion

Recommended actions

Related events